How Okta

Whitepaper
November 2020

Integrates
Applications
An architectural overview

Okta Inc.
100 First Street
San Francisco, CA 94105
[email protected]
1-888-722-7871
Whitepaper How Okta Integrates Applications

Contents 2 Okta: Enterprise Identity, Delivered

2 Integrating Applications with the Okta Service
3 Cloud, On-premises,and Mobile Applications
4 Single Sign-On to ANY Application
8 Single Sign-On for Active Directory
Authenticated Web Apps
9 Enabling User Management
10 Conclusion
Whitepaper How Okta Integrates Applications 2

Okta: Okta is an enterprise grade identity management service, built from the ground up in
the cloud and delivered with an unwavering focus on customer success. With Okta IT

Enterprise can manage access across any application, person or device. Whether the people are
employees, partners or customers or the applications are in the cloud, on premises or
Identity, on a mobile device, Okta helps IT become more secure, make people more productive,

Delivered and maintain compliance.

White paper

Okta: Enterprise Identity, Integrating Applications with the

Delivered Okta Service
Okta is an enterprise grade identity management service, built from Unlike other identity management solutions, Okta is not simply

Integrating Unlike other identity management solutions,a Okta

the ground up in the cloud and delivered with an unwavering focus isyou
toolkit that

to connect your web applications to your user directories. That takes too much of your
on customer success. With Okta IT can manage access across any
notuse simply
to connect a
yourtoolkit that to
web applications you youruse
user directories. That takes too much of your time and resources.

Applications
application, person or device. Whether the people are employees, Instead, Okta “integrates” applications into its service for you,
time and
partners resources.
or customers Instead,
or the applications Okta
are in the cloud,“integrates”
on andapplications into
you simply deploy these its service
pre-integrated for you,
applications and
to your

you simply deploy these pre-integrated applications to your users as necessary. You can
with the
premises or on a mobile device, Okta helps IT become more users as necessary. You can authenticate these users against your
secure, make people more productive, and maintain compliance. own user store (e.g. Active Directory or LDAP) or you can use
authenticate these users against your own user store (e.g. Active Directory or LDAP)
Okta as the user store. Okta is unique in providing quick, feature

Okta Service or you can use Okta as the user store. Okta rich is unique
integrations in
withproviding quick,
web based and native feature
mobile rich
applications,

integrations with web based and native mobile applications, whether these are in the
whether these are in the cloud, on-premises or on your
smartphone or tablet. These integrations are delivered as a part
cloud, on-premises or on your smartphone oroftablet. These
the Okta service integrations
and include aremanagement
both SSO and user delivered
as a part of the Okta service and include bothcapabilities. SSO and user management capabilities.
This document describes the various ways Okta
integrates applications into its service.
This document describes the various ways Okta integrates applications into its service.

Okta Application Network

People Applications

Single Sign-On CRM HR

Support
Email
Finance
SCM Public Cloud BI
Content Management ERP
Collaboration
File Sharing

Administration & Reporting My Company Network

Okta Cloud Services Platform

Single Sign-On User Management

Firewall Web Apps Directory HCM

Logging & Reporting

Okta: Managing Access across Any Application, Device or Person

Okta: Managing Access across Any Application, Device or Person

1
Whitepaper How Okta Integrates Applications 3

Cloud, It is useful to start with a distinction between cloud, on-premises and mobile apps.

On-premises, For typical cloud based applications (e.g. Salesforce, Google Apps, Workday, etc.), these
integrations are delivered as a part of Okta’s Application Network. Administrators

and Mobile simply select from Okta’s list of thousands of supported applications, use a simple
wizard answering basic questions about their specific instance of the applications
Applications (such as URL and administrative IDs) and Okta handles the rest.

All technical details (such as SSO protocols and user management API implementations)
are encapsulated in the service and continually maintained by Okta on your behalf.
These applications may use a standard like SAML or OpenID, they may use a proprietary
API, or they may use Okta’s Secure Web Authentication (SWA) protocol.

Many of the most popular on premises web based applications (Oracle Apps, Lawson,
Jira, etc.) are also included in the Okta Application Network. For custom developed
on-premises web based applications Okta provides a range of integration options as
well. Secure Web Authentication integration for SSO can be easily added, Okta has
SAML toolkits that can be used to SAML enable your apps, and Okta also supports
provisioning and deprovisioning into applications that expose user management APIs
publicly.

Okta also provides easy access to mobile enterprise applications from any device.
Whether your enterprise apps are HTML5 web apps optimized for mobile platforms
or Native iOS or Android apps, Okta has a solution. Any web application in the Okta
Application Network can be accessed with single sign on from any mobile device.
Mobile web apps can use industry standard SAML, or they can use Okta’s Secure Web
Authentication SSO technology. Native applications like Box Mobile can be integrated
using SAML authentication for registration and OAuth for ongoing use.

ions are delivered as a part of Okta’s
strators simply select from Okta’s
Whitepaper
d applications, use a simple wizard
out their specific instance of the
d administrative IDs) and Okta handles
having to re-enter credentials. It is important to note that this SSO
experience only works well when ALL applications are covered; if
How Okta Integrates Applications 4
some applications cannot be supported then it’s not truly single-
Okta Datasheet: Corporate
sign on. For this reason, Okta employs several methods to enable
SSO into different web applications.
Connect Everything
Okta first establishes a securely authenticated session with the
Identity management for all your people, all your devices, and all your
applications.

user’s browser. Once this session has been established, Okta can
SSO protocols and user management

Single Sign-On
A New World Built on Identity Controlling User Access
Okta creates
authenticate thea user
seamless
to anyuser experience
connected by providing
application using single
one of sign-on to ALL of the
capsulated in the service and In the last decade, enterprises everywhere have Controlling who has access to which applications
web andapps
mobile applications users need.becomes
Users log in once, and can then launch each

to ANY
two
embraced SSO
cloudintegration methods.
like Salesforce.com, and Okta’s SSO integrations canwhen
a real challenge either
users can get access from
ta on your behalf. These applications application
NetSuite; GoToMeeting without
and WebEx; having to re-enter
and Workday and credentials. It isany
any browser, from important
place, at any to
time.note that this SSO
This situation
be federated (i.e. supporting a standard such as SAML orcloud
another
experience only works well when ALL applications are covered; if some applications
Application
SuccessFactors. They’ve shrunk their IT infrastructure, is exacerbated with the as IT is often not involved
or OpenID, they may use a
lowered their total cost of ownership, and made it in the purchasing process. Okta lets IT take back control,
proprietary
cannot befederated
supported authentication
then it’s not protocol)
at truly single
or they For
sign-on. canthisleverage
reason,
layer ofOkta
securityemploys
use Okta’s Secure Web Authentication possible for employees to get work done anywhere, while simultaneously adding a critical

several
any hour.
Okta’s methods
Secure Webto enable SSO into
Authentication different
(SWA) web applications.
and ease of use.
to perform a secure,
But the change hasn’t come easy. IT departments still
form-driven post to the application loginPassword page, signing Fatigue in the user
Okta first establishes a securely authenticated session
have to manage all of their on-premises apps and
with the user’s browser. Once
premises web based applications infrastructure, only now it is more difficult because they
lack athis
singlesession hastheir
been established,
devices. What Okta number
can authenticate the user to any connected
Visit any organization that has adopted a reasonable
automatically on
view of all users,
behalf.
apps, and of cloud apps and you will find people suffering
tc.) are also included in the Okta application using one of two SSO integration
is needed is a common identity platform to connect the frommethods. Okta’s
password fatigue. Not SSO integrations
only must users remember can either
enterprise. By choosing Okta, companies are solving the
tom developed on-premises web be federated (i.e. supporting a
challenges that have been created by new cloud and
standard such as SAML or another proprietary
a constantly changing set of passwords, but each cloud
federated
app has different password requirements. To lessen the

ides a range of integration options mobileauthentication

technologies and are protocol) or they tocan leverage
preparing themselves Okta’s
Okta’s
burden, “My
people Secure Webpasswords,
Applications”
resort to obvious Authentication
sticky notes,(SWA)

to perform a secure, form-driven post to the

meet the next wave of innovation.
application
and spreadsheets. Theylogin
all but page,
issue an signing
invitation toin
anthe user
cation integration for SSO can be landing
outsider seekingpage provides
to breach the network.aLuckily, password
automatically on their behalf. fatigue has an easy cure. Okta Single Sign-On lets users
toolkits that can be used to SAML simple
access any app launch point
with a single to
set of credentials.

lso supports provisioning and de- all applications.

s that expose user management APIs Okta’s “My Applications”
landing page provides a
simple launch point to all
ss to mobile enterprise applications applications.

ur enterprise apps are HTML5 web

atforms or Native iOS or Android apps,
application in the Okta Application
h single sign on from any mobile
Okta Home Page
Okta’sNative
Okta’s NativeiOSiOS
app app runs
runs
Assigning Applications
use industry standard SAML, or
on iPADs and iPhones.
on iPADs and iPhones.
Web Authentication SSO technology.
Mobile can be integrated using SAML
1
n and OAuth for ongoing use.

2
Whitepaper How Okta Integrates Applications 5

Standards based SSO Secure W

There are multiple Standards-based ways to do SSO. Because For web app
Okta is a cloud service, we have the ability to add support for single sign-o
any standards, i.e. we are not forced to choose one standard or (SWA) techno

Standards
another.
based SSO When SWA is
Okta supports numerous federated SSO protocols including additional lin
There are multiple Standards-based ways to do SSO. Because Okta is a cloud service,
we have the
standards ability
such to add(1.1
as SAML support for any
and 2.0). standards,
Some i.e. we
application are not forced to choose
vendors and through
one
onlystandard
support or another. federated SSO protocols, but Okta
proprietary the secure st
supports
Okta those
supports as well so
numerous that youSSO
federated don’t have toincluding
protocols worry—it just
standards an encrypted
such as SAML (1.1
and 2.0).
works. If Some application
an application vendors
needs only support
authorization proprietary
support federated SSO protocols,
for OpenID, customer sp
but
OktaOkta
can supports
easily addthose as well
support so that
for that you don’ttoo.
application have to worry—it just works. If an
application i
application needs authorization support for OpenID, Okta can easily add support for
the app login
that
Everyapplication
time Oktatoo. adds a new application to its network, every one
of our customers immediately gets access to that application; this SWA can opt
Every time Okta adds a new application to its network, every one of our customers
is why Okta gets
immediately can spend
accessits
to engineering resources
that application; to support
this is why allspend its engineering
Okta can require the u
resources to support
authentication all authentication standards.
standards. apps to be th
more step fo
password en

Configuring

Configuring Google Apps for SAML 2.0 SSO

Configuring Google Apps for SAML 2.0 SSO

 White paper

Whitepaper How Okta Integrates Applications 6

SSO Secure Web Authentication (SWA) for SSO

rds-based ways to do SSO. Because For web applications that do not provide support for federated
e have the ability to add support for single sign-on Okta has developed our Secure Web Authentication
not forced to choose one standard or (SWA) technology.

Secure
When SWAWeb Authentication
is enabled on an application, (SWA)
end usersfor SSO
see an
federated SSO protocols including additional link below the application icon on their Okta home page,
For web applications that do not provide support for federated single sign-on Okta
.1 and 2.0). Some application vendors and through this link users can set and update their credential in
has developed our Secure Web Authentication (SWA) technology.
ederated SSO protocols, but Okta the secure store for that application only. The credential is stored in
When SWA is enabled on an application, end users see an additional link below the
that you don’t have to worry—it just an encrypted format using strong AES encryption combined with a
application icon on their Okta home page, and through this link users can set and update
eeds authorization support for OpenID, customer specific private key. When a user subsequently clicks the
their credential in the secure store for that application only. The credential is stored in
rt for that application too. an encryptedicon,
application format using
Okta strongposts
securely AES the
encryption combined withtoa customer specific
username/password
private
the appkey. When
login pagea user
over subsequently clicks
SSL and the user is the applicationlogged
automatically icon, Okta
in. securely posts
w application to its network, every one
the username/password to the app login page over SSL and the user is automatically
ately gets access to that application; this SWA can
logged in.optionally be made even easier for end users; admins can
engineering resources to support all require the username and password that is used for SWA-based
SWA can optionally be made even easier for end users; admins can require the username
apps to be the same as that user’s Okta credentials, removing one
and password that is used for SWA-based apps to be the same as that user’s Okta
credentials,
more step for removing one(they
end users more step
are no for end prompted
longer users (theyfor
arethe
noinitial
longer prompted for
the initial password
password entry). entry).

Configuring Google Apps for SWA–based SSO

Configuring Google Apps for SWA–based SSO

s for SAML 2.0 SSO

Whitepaper How Okta Integrates Applications 7

White paper
SAML Toolkits for SSO
SAML Toolkits for SSO
For custom web applications that are not in the Okta Application Network, Okta also
For custom web applications that are not in the Okta Application
provides
Network, integration
Okta also toolkits
provides integration toeasily
toolkits to easily
enableenable these applications to support SAML. The

SAML integration toolkits are available for .NET, Java and PHP platforms.
these applications to support SAML. The SAML integration toolkits
are available for .NET, Java and PHP platforms.

Internet Firewall Your Network

Okta AD Active App 1 App 2

MyCo Welcome User | Help | Logout
Directory
Agent(s)
My Applications

Okta SAM L
Gmail Google Google App 2 Google Toolkit
(enables SSO )
Postini Instagram Facebook Twitter App 1

http:///portal.mycompany.com

MyCo Portal

account userID
support
shipping Password

Using Okta’s SAML Toolkit to enable SSO for on-premises web applications
Using Okta’s SAML Toolkit to enable SSO for on-premises web applications

4
Whitepaper How Okta Integrates Applications 8

Single Sign-On Most enterprises have on-premises web applications that can easily be integrated
into Okta’s SSO solution. Many companies also have on-prem web applications that

for Active use Active Directory credentials for authentication. These applications are not using
Integrated Windows Authentication, but instead require the user to enter their AD
Directory credentials when they sign in via a browser. When Okta is configured to delegate

Authenticated authentication to Active Directory, signing in to these internal web applications can
also be automated.

Web Apps The behind-the-scenes steps that enable SSO for AD authenticated internal web
White paper
applications (shown below) are:

Single
1. OktaSign-On
is configured for Active
to delegate authentication to AD.
Directory
2. Customer Authenticated
has on-premises Web apps Appsauthenticating to AD.
3. User logs into Okta with AD credentials.
Most enterprises have on-premises web applications that can easily Okta can leverage its Secure Web Authentication protocol to
4. User accesses
be integrated App 1Many
into Okta’s SSO solution. and App 2alsowith
companies have SWA using AD
automatically credentials.
log users into these internal web applications. When

5. App 1 and App 2 authenticate user against

on-prem web applications that use Active Directory credentials
AD. web application is configured to delegate authentication
an internal
for authentication. These applications are not using Integrated to AD (the same source to which Okta delegates authentication),
Windows Authentication, but instead require the user to enter
Okta can leverage its Secure Web Authentication protocol to automatically log users
Okta captures the user’s AD password at login and automatically
their AD credentials when they sign in via a browser. When Okta is sets that password for that user in any applications that also
into these internal web applications. When andelegate
configured to delegate authentication to Active Directory, signing internal web
to AD. This application
allows is configured
users to simply click a link to access to
delegate authentication to AD (the same source to which Okta delegates authentication),
in to these internal web applications can also be automated. these applications, and then be logged in automatically. Note that
Okta synchronizes the AD password securely; if the password
Okta captures the user’s AD password at login and automatically sets that on password
The behind-the-scenes steps that enable SSO for AD authenticated
subsequently changes in AD, this event is captured login to Okta
internal web applications (shown below) are:
for that user in any applications
1. Okta is configured to delegate authentication to AD.
that also delegate to AD. This allows users to simply
and immediately updated in the secure password store for that
application, ensuring that the next login attempt will be successful.
click a link
2. Customer to access
has on-premises apps these applications,
authenticating to AD. and then be logged in automatically. Note
that Okta
3. User logs intosynchronizes the AD password securely; if the password subsequently
Okta with AD credentials.

changes in App
4. User accesses AD, this
1 and App 2event
with SWA is captured
using AD credentials.on login to Okta and immediately updated in

the secure
5. App 1 and Apppassword store
2 authenticate user against for
AD. that application, ensuring that the next login attempt

will be successful.

Internet Firewall Your Network

2
5
Okta AD Active App 1 App 2
MyCo Welcome User | Help | Logout
Directory
Agent(s)
My Applications

Gmail Google Google App 1 Google

4
Postini Instagram Facebook Twitter App 2

http:///portal.mycompany.com

MyCo Portal 3

account userID
support
shipping Password

Okta enables SSO for AD authenticated internal web applications

Okta enables SSO for AD authenticated internal web applications

5
Whitepaper How Okta Integrates Applications 9

Enabling User User management is defined as the provisioning of new accounts for new users,
deprovisioning of accounts for deactivated users, and keeping user attributes

Management synchronized across multiple directories as necessary. Okta’s user management features
enable the service to automatically manage user accounts within applications, saving
you time and money and ensuring correct access privileges are always up to date. User
management is bidirectional, so accounts can be created inside the application and
imported into Okta, or account information can be added to Okta and then pushed to
the corresponding applications.

There are three core areas of user management functionality that Okta provides:

1. Bulk user import (from a variety of sources)

2. Ability to natively create, read, update, and delete (CRUD) users within Okta
3. Password synchronization / password push (across multiple directories)

For user management integrations Okta supports OAuth 2.0 based authentication,
and if an application supports lesser known standards such as SCIM or SPML, Okta
can leverage those for user management as well. Similar to SSO access, Okta does the
work of connecting to these APIs for you; there is no “connector” work for you to do
yourself. To enable user management you simply configure Okta with credentials for
your API user and select the features that you would like. Everything else is handled by
the Okta service, including continuous automated testing and (if necessary) updates
as the capabilities of the application inevitably evolve.

On-premises applications can also be integrated into Okta to enable user management.
This can be done in one of two ways: leveraging Active Directory or using web services
to manage user accounts in applications:

• For enterprises that on-board users via an HRMS like Workday, Okta can support
user management into on-premises applications by using Active Directory as a
meeting point. You can configure Okta to mange accounts in your Active Directory
instance, and Okta will create and update users in AD based on user accounts in
Workday. This information can then be used by any on-premises web application
that uses Active Directory as its user store.

• Alternatively, Okta’s can support user management for any on-premises web
application that has a web services API that can be made available to the Okta
service via a publicly addressable connection. Okta will make calls to that
application’s web service to create new user accounts, update attributes, and
deactivate users as needed based on the user assignment rules configured in the
Okta service. Okta can provide detailed examples of web services APIs as well.
Whitepaper How Okta Integrates Applications 10

Conclusion Single-sign on and user management are key requirements of any enterprise adopting
cloud and mobile applications alongside their existing web-based on-prem applications.
SSO, as the name implies, only truly works when all applications are covered, and
therefore any credible SSO solution must support a variety of methods to integrate all
the web and mobile applications you need to run your company. Okta uniquely enables
SSO into any web or mobile application using open standards, or proprietary APIs, or
Secure Web Authentication (SWA) and by SAML-enabling on-prem web applications.
Additionally, user management comes pre-integrated for all of the cloud applications
that support this functionality, and on premises apps can be easily incorporated via AD
integration or by provisioning and de-provisioning directly to supported APIs.

About Okta
Okta is the leading independent provider of identity for the enterprise. The Okta
Identity Cloud enables organizations to securely connect the right people to the
right technologies at the right time. With over 6,500 application integrations,
Okta customers can easily and securely use the best technologies for their business.
To learn more, visit okta.com.